Critical Unauthenticated RCE Flaw Threatens Kopia Backup Servers

Kopia serves as a popular open-source backup and restore tool for secure data snapshots. However, security researchers recently uncovered a critical flaw within its HTTP server implementation. Tracked as CVE-2026-45695, this vulnerability carries a severe CVSS score of 9.8. Specifically, the bug enables remote code execution (RCE) via a clever command injection technique. Consequently, security teams must act quickly to patch vulnerable instances immediately.

Understanding the Kopia SSH ProxyCommand Injection

The root of the issue lies in how Kopia processes external requests. For example, administrators sometimes start the Kopia HTTP server using the --without-password flag. This configuration allows the server to accept unauthenticated requests to a specific API endpoint. Therefore, unauthenticated users can easily send malicious payloads directly to the /api/v1/repo/exists handler.

Subsequently, the server forwards the user-supplied storage setup directly to the backend system. If the target environment utilizes an SFTP backend with external SSH enabled, the application builds a process command line. Furthermore, the backend code splits the incoming arguments using only literal space characters. Unfortunately, it completely lacks a proper tokenizer, quote handling controls, or strict input validation allowlists.

How the Exploit Triggers Without Credentials

Because of this parsing flaw, an attacker can append dangerous arguments to the configuration string. Specifically, inserting an -oProxyCommand=<cmd> token into the fields triggers the malicious behavior. OpenSSH naturally treats this directive as an instruction to execute commands through the host shell.

As a result, the shell execution happens before OpenSSH even attempts a network connection. Consequently, the injected command executes successfully even if the target destination remains completely unreachable. This gives the unauthorized attacker full command execution privileges as the local Kopia process user. Ultimately, the entire exploit requires no user interaction and finishes with just one HTTP request.

Affected Versions and Immediate Remediation

This critical vulnerability impacts multiple deployment environments running older software. To protect your infrastructure, you must verify your exact deployment version right away.

Vulnerable Releases

• Kopia installations running version 0.22.3 and all earlier builds are explicitly vulnerable.

Patched Releases

• Kopia installations running version 0.23.0 and above contain the official security fix.

Temporary Mitigations

If you cannot upgrade immediately, apply the official architectural mitigation. A newly introduced code patch disallows starting a server without an active password configuration. This block automatically activates whenever the system listens on any non-loopback network interface. Therefore, modifying your interface configurations helps reduce the active external attack surface.